455928 matches found

OSV (added last week, 3 views)

MAL-2026-6342 Malicious code in therdweb (npm)

Source: amazon-inspector d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117. The package's name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK, while its contents README, source code, author field 'Micha...

AI score: 6
Exploits: 0, References: 1
OSSF Malicious Packages (added last week, 5 views)

Malicious code in thidweb (npm)

Source: amazon-inspector 80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d. Package is published as thidweb but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin...

AI score: 5.9
Exploits: 0, References: 1
OSV (added last week, 2 views)

MAL-2026-6343 Malicious code in thidweb (npm)

Source: amazon-inspector 80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d. Package is published as thidweb but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin...

AI score: 5.9
Exploits: 0, References: 1
OSV (added last week, 3 views)

MAL-2026-6340 Malicious code in rainbownkit (npm)

Source: amazon-inspector 970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a. Package 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. The shipped source, README, repository URL, and autho...

AI score: 6
Exploits: 0, References: 1
OSSF Malicious Packages (added last week, 5 views)

Malicious code in rainbownkit (npm)

Source: amazon-inspector 970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a. Package 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. The shipped source, README, repository URL, and autho...

AI score: 6
Exploits: 0, References: 1
RedhatCVE (added last week, 7 views)

CVE-2026-55199

A vulnerability in libssh2 allows a malicious SSH server to freeze connected clients during the handshake process. By sending a malformed packet, the server triggers a loop that exhausts the client's CPU, resulting in a denial of service. Mitigation: To mitigate this issue, ensure your libssh2...

CVSS: 8.2, AI score: 5.9, EPSS: 0.00408
Exploits: 1, References: 6
RedhatCVE (added last week, 12 views)

CVE-2026-55200

An out-of-bounds write vulnerability exists in the libssh2 client. A remote attacker can exploit this by sending a specially crafted SSH packet with an abnormally large length value. This corrupts the application's memory and can potentially allow the attacker to execute arbitrary code on the...

CVSS: 9.8, AI score: 6.3, EPSS: 0.00922
Exploits: 7, References: 6
EUVD (added last week, 5 views)

EUVD-2026-38582

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

CVSS: 2.2, AI score: 5.8, EPSS: 0.00074
Exploits: 0, References: 3
CVE (added last week, 10 views)

CVE-2026-54327

The Pi credential storage vulnerability (CVE-2026-54327) stems from a race in the auth.json write path. Between file creation/writes and the subsequent permission tightening, auth.json could be created or rewritten with permissions derived from the process umask, briefly exposing stored API keys ...

CVSS: 2.2, AI score: 5.8, EPSS: 0.00074
Exploits: 0, References: 3
ATTACKERKB (added last week, 4 views)

CVE-2026-54327

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

CVSS: 2.2, AI score: 5.8, EPSS: 0.00074
Exploits: 0, References: 4, Affected Software: 1
Cvelist (added last week, 36 views)

CVE-2026-54327 Pi: Race condition in auth.json writes could expose stored credentials

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

CVSS: 2.2, EPSS: 0.00074
Exploits: 0, References: 3
Vulnrichment (added last week, 3 views)

CVE-2026-54327 Pi: Race condition in auth.json writes could expose stored credentials

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

CVSS: 2.2, AI score: 5.8, EPSS: 0.00074
Exploits: 0, References: 3
EUVD (added last week, 5 views)

EUVD-2026-38581

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVSS: 2.5, AI score: 5.8, EPSS: 0.00132
Exploits: 0, References: 3
Cvelist (added last week, 40 views)

CVE-2026-54326 Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVSS: 2.5, EPSS: 0.00132
Exploits: 0, References: 3
ATTACKERKB (added last week, 4 views)

CVE-2026-54326

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVSS: 2.5, AI score: 5.8, EPSS: 0.00132
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment (added last week, 5 views)

CVE-2026-54326 Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

CVSS: 2.5, AI score: 5.8, EPSS: 0.00132
Exploits: 0, References: 3
CVE (added last week, 15 views)

CVE-2026-54326

Pi HTML exports in Pi (pi-coding-agent) from versions 0.74.0–0.78.0 do not consistently reject unsafe Markdown link and image URL schemes, with C0 control characters in the URL scheme able to bypass checks. This can lead to a Cross-Site Scripting (XSS) risk in the exported static HTML if untruste...

CVSS: 2.5, AI score: 5.8, EPSS: 0.00132
Exploits: 0, References: 3
CVE (added last week, 13 views)

CVE-2026-54328

CVE-2026-54328 (Pi Agent) affects Pi versions 0.74.0–0.78.1, where temporary npm or git extension installs used deterministic paths under the OS temporary directory. On Linux shared multi-user hosts, an untrusted user who can write to the shared tmp dir could pre-create the expected extension pat...

CVSS: 7.3, AI score: 5.9, EPSS: 0.00115
Exploits: 0, References: 5
Cvelist (added last week, 33 views)

CVE-2026-54328 Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary...

CVSS: 7.3, EPSS: 0.00115
Exploits: 0, References: 5
EUVD (added last week, 5 views)

EUVD-2026-38580

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary...

CVSS: 7.3, AI score: 5.9, EPSS: 0.00115
Exploits: 0, References: 5